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1.  Introduction 


Supervisory  Control  and  Data  Acquisition  (SCAD A)  systems  collect  information  from 
sensors  and  actuafors  abouf  some  physical  environment  and  provide  an  operator 
interface  which  allows  confrol  and  reporting.  The  physical  environment  could  be  a 
power  plant,  power-distribution  network,  water-treatment  plant,  manufacturing  floor, 
petroleum  refinery,  or  any  ofher  physical  environmenf  that  requires  control  and  data 
acquisition.  As  early  as  1999  the  European  Organization  for  Nuclear  Research  was 
looking  info  using  a  SC  AD  A  sysfem  fo  control  a  laboratory  environment.^  As  late  as 
2009  Aydogmus  and  Aydogmus  discussed  the  use  of  a  SCADA  sysfem  fo  allow  sfudenfs 
to  remotely  interact  with  a  laboratory  supporting  distance  learning.^  The  data  acquired 
may  be  operationally  oriented  and  used  to  better  run  the  system,  or  it  could  be  strategic 
in  nature  and  used  to  better  run  the  company. 

SCADA  systems  play  a  critical  role  in  the  foundation  of  modern  sociefy,  and  fhere  is  a 
large  body  of  work  dedicafed  fo  defending  these  systems  from  cyber  affack.  The  purpose 
of  fhis  report  is  to  survey  and  summerize  that  work.  In  Section  2,  this  report  reviews  the 
basic  components  of  a  SCADA  archifecfure.  In  Section  3,  if  reviews  fhe  impacfs  of  some 
famous  failures  in  SCADA  sysfems.  In  Section  4,  fhis  report  discusses  the  shared  and 
unique  vulnerabilities  of  SCADA  sysfems.  In  Section  5,  if  reviews  the  countermeasures 
that  are  currently  in  place  to  protect  SCADA  systems.  In  Section  6,  the  report  provides 
some  concluding  insight  into  the  current  research  being  done  to  defend  SCADA  sysfems. 


2.  SCADA  Architecture 


Technically  fhe  SCADA  sysfem  is  composed  of  the  information  technology  (IT)  that 
provides  the  human-machine  interface  (HMI)  and  sfores  and  analyzes  the  data.  It  may 
contain  the  logic  necessary  to  operate  the  physical  environment  either  autonomously  or 
semi-autonomously.  Although  technically  not  part  of  the  SCADA  system,  SCADA 
systems  are  connected  to  the  sensors  and  actuators  via  a  complex  network  of  devices 
that  include  Front  End  Processors  (FEPs),  Intelligent  Electronic  Devices  (lEDs),  Master 
Terminal  Units  (MTUs),  Motor  Control  Centers  (MCCs),  Programmable  Logic 
Controllers  (PECs),  and  Remote  Terminal  Units  (RTUs).  FEPs  provide  a  gateway  from 
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Figure  An  example  of  SCADA  architecture  (illustration  by  the  US  DoE^) 


the  often  proprietary  protocols  and  media  used  by  the  sensor  network  to  the  general 
purpose  computer  system  that  runs  the  SCADA  system.  lEDs  are  very  small,  dedicated 
computer  systems  that  directly  coimect  to  and  control  sensors  and  actuators.  MTUs 
coimect  to  multiple  RTUs,  consolidating  the  control  and  data  traffic  from  the  RTUs  to  the 
SCADA  system.  MCCs  are  dedicated  computer  systems  that  control  the  performance  of 
an  electric  motor.  PLCs  provide  a  more  direct  interface  between  the  sensor  or  actuator  to 
the  SCADA  system  encompassing  the  functionality  of  the  lED  and  RTU  into  one  device. 
An  RTU  coimects  to  one  or  more  lEDs  and  consolidates  their  data  collection  and  control 
providing  a  gateway  between  the  lED  and  the  SCADA  system  or  MTU. 

The  figure  illustrates  a  typical  SCADA  architecture.  Notice  that  the  lEDs  and  PLCs 
coimect  directly  to  the  sensors  and  actuators  which  are  not  shown  in  this  diagram.  The 
lEDs  are  cormected  to  RTUs  or  an  FEP,  called  a  port  server/ comm  processor  in  the 
diagram.  These  are  then  connected  to  the  SCADA  system  which  consists  of  a 
communications  server,  historian,  and  application  server  and  services  several 
workstations  rurming  the  HMI. 

Early  SCADA  implementations  tended  to  be  proprietary  main-frame  systems  connected 
to  a  network  of  PLCs,  lEDs,  and  MTUs,  etc.,  with  dedicated  serial  lines  using  proprietary 
protocols  that  were  isolated  from  the  corporate  network.  In  the  early  1990s  this  was 
shifting  to  an  open  systems  and  client  server  architecture  on  Reduced  Instruction  Set 
Computing  (RISC)  platforms  running  some  version  of  UNIX.^  Around  the  turn  of  the 
millennium  work  began  on  applying  Web  technologies  to  SCADA  systems.^"^  Lately  the 
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trend  has  been  to  move  from  the  UNIX /RISC  system  to  commodity  hardware  and 
Microsoft  solutions  although  there  is  some  Linux/  to  move  from  dedicated  serial  lines  to 
Ethernet  and  even  Wireless  technologies,  to  move  from  proprietary  protocols  to 
standard  protocols,  and  to  connect  these  systems  to  the  corporate  network/  The 
proprietary  HMIs  have  given  way  to  Web-based  applications.  The  requirement  to  share 
this  information  with  customers  and  partners  has  spawned  the  implementation  of 
Web-service-based  applications.  These  migrations  have  greatly  reduced  the  cost  and 
increased  the  reliability  and  functionality  of  SC  AD  A  systems;  however,  they  have  also 
dramatically  increased  the  risks  inherent  in  them. 


3.  Impact  of  the  Failure  of  SCADA  Systems 


SCADA  systems  control  segments  of  the  infrastructure  critical  to  the  smooth  function  of 
our  society.  These  segments  include  the  production  and  distribution  of  electricity,  the 
distribution  of  water,  the  treatment  of  sewage,  the  refinement  and  distribution  of 
petroleum — ^just  to  name  a  few.^° 

Fernandez  and  Femandez^^  provide  the  following  survey  of  the  impact  of  SCADA 
failures  that  lead  to  4  major  blackouts  in  2003: 


Outage  1:  On  August  25,  2003,  more  than  100  electric  plants  were  shut 
down,  including  22  nuclear  power  plants,  affecting  50  million  people  in  the 
U.S.  and  Canada.  This  was  the  biggest  blackout  in  North  American  history, 
forcing  the  closure  of  10  major  airports,  causing  the  cancellation  of  700  flights, 
and  leaving  350,000  people  stranded  on  the  New  York  City  subway.  A  broken 
alarm  at  First  Energy,  a  northern  Ohio  utility  company,  may  have  allowed  too 
much  to  go  wrong  before  technicians  noticed  the  problem.  The  reversal  of 
power  happened  so  fast  that  operators  did  not  have  time  to  react,  and  within 
about  10  seconds,  vast  sections  of  the  grid  were  overwhelmed.  The  failed 
lines  in  Ohio  started  a  cascade  that  crashed  several  systems,  despite  a 
structure  built  for  this  type  of  defense. 

Outage  2:  On  August  29,  2003,  a  failure  of  England's  National  Electric 
Grid  caused  a  blackout  in  Central  and  Southern  London  affecting  more  than 
250,000  people,  270  sets  of  traffic  lights,  and  1,800  trains.  According  to  the 
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latest  findings,  there  was  a  fault  in  the  volt  system  that  apparently  had  not 
been  properly  maintained. 

Outage  3:  On  September  23,  2003,  Eastern  Denmark  and  Southern  Sweden 
experienced  their  worst  blackout  in  20  years.  As  maintenance  issues  have 
been  raised,  both  of  these  outages  have  thus  far  been  attributed  to  equipment 
failure. 

Outage  4:  On  September  28,  2003,  a  power  failure  left  most  of  Italy 
without  power  for  several  hours  interrupting  rail  and  air  traffic  and  jamming 
emergency  phone  lines.  Thousands  were  forced  to  take  refuge  in  Rome's 
subways.  As  investigations  revealed  more  information,  it  was  found  that  the 
Italian  response  was  either  lacking,  or  too  slow,  and  that  Italian  operators  had 
made  a  wrong  decision  when  coping  with  the  interruption  from  Switzerland 
and  France.  Consequently,  a  cascade  of  power  line  outages  resulted  within 
Italy,  and  along  its  border.^^ 


In  2011  Langer  reported  on  a  piece  of  malicious  code  that  seems  to  target  SCADA 
systems  and  the  PECs  that  they  control.  This  malicious  code  would  come  to  be  known 
as  Stuxnet.  Stuxnet  was  different  from  most  other  worms  in  that  it  appears  to  have 
limited  its  distribution  to  a  targeted  environment.  It  was  initially  introduced  via  a 
Universal  Serial  Bus  (USB)  device,  and  exploited  four  zero-day  vulnerabilities  in 
Microsoft  Operations  Systems  to  propagate  itself  throughout  the  SCADA  system.  It 
appears  to  have  been  looking  for  the  systems  used  to  download  logic  into  particular 
Seimens  PECs.  Once  it  verified  that  the  PECs  were  running  the  correct  version  of 
software,  it  would  replace  that  software  with  its  own  malicious  version.  It  appears  that 
the  intent  of  this  code  was  to  cause  centrifuges  in  an  uranium-enrichment  facility  to 
break  down.  Chen  and  Abu-Nimeh  report,  "The  site's  production  dropped  15  percent  in 
2009,  around  the  time  Stuxnet  is  believed  to  have  begun  spreading. 


4.  SCADA  Vulnerabilities 


SCADA  systems  share  some  common  vulnerabilities  in  addition  to  some  vulnerabilities 
that  are  quite  unique.  Modern  SCADA  systems  are  implemented  on  Commercial  Off  the 
Shelf  (COTS)  hardware  and  software  solutions;  therefore,  they  inherit  all  of  the 
vulnerabilities  associated  with  these  systems. Remember  Stuxnet  used  zero-day 
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vulnerabilities  in  the  Microsoft  operating  system  to  gain  access  to  the  PLCs  where  it 
installed  its  payload.  More  and  more  SCADA  systems  are  using  COTS  networking 
technologies  to  include  Ethernet  and  wireless  networking,  and  they  inherit  all  of  the 
vulnerabilities  inherent  in  them.  The  move  to  open  communication  standards  has 
dramatically  increased  the  availability  of  this  information.  Once  upon  a  time  the 
protocols  used  by  SCADA  systems  to  communicate  with  the  sensors  and  actuators  were 
proprietary  and  unavailable  to  most  people.  Today  more  than  90%  of  major  SCADA  and 
automation  vendors  have  all  of  their  manuals  and  specifications  available  on-line  to  the 
general  public. This  is  great  for  compatibility  but  not  for  security.  Many  of  the  control 
components  such  as  PLCs,  lEDs,  and  RTUs  have  very  little  additional  computing  power 
available  to  implement  increased  security  features.  COTS  IT  hardware  and  software 
have  a  life  cycle  of  3  to  5  years,  but  the  life  cycle  of  control  components  like  PLCs,  lEDs, 
and  RTUs  is  15  to  20  years.  This  implies  that  administrators  of  these  systems  are  likely  to 
be  limited  in  their  options  because  large  pieces  of  their  network  are  tied  to  technologies 
that  would  be  considered  woefully  obsolete  by  IT  standards. 


5.  SCADA  Countermeasures 


The  fact  that  SCADA  systems  are  very  important  and  vulnerable  has  been  understood,^^ 
and  a  significant  body  of  work  has  been  done  to  address  these  vulnerabilities.  Many 
researchers  and  standards  bodies  have  written  configuration  guides  for  SCADA 
systems.  There  are  several  researchers  working  vulnerability-assessment  techniques. 
Work  has  been  done  in  almost  every  area  of  intrusion  detection.  Research  is  being 
conducted  in  the  use  of  cryptography  and  key  management.  Several  people  have  created 
test  beds  for  research  into  SCADA  systems. 

5.1  Configuration  Guides 

In  2001  Paul  Oman  et  al.,  provided  an  overview  of  the  risks  to  SCADA  systems  and 
provided  16  suggestions  for  hardening  these  systems. In  2002  Jonathan  Pollet 
advocated  "Rings  of  Defense. In  2005  Calvert  Bowen  et  al.,  advocated  "Defense  in 
Depth"  and  client  puzzles.  They  also  introduce  the  concept  of  performing  a  Denial  of 
Service  (DoS)  attack  against  oneself  by  implementing  overly  expensive 
countermeasures.^ 
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In  2011  Arun  Velagapalli  et  al.,  advocated  minimizing  the  Trusted  Computing  Base  for 
SCADA  systemsd^  Many  government  and  industry  agencies  have  published 
comprehensive  guidelines^® 

There  are  limits  to  the  effectiveness  of  configuration  guides.  If  they  are  too  complicated 
or  expensive  to  implement,  they  will  often  be  ignored  unless  some  regulatory  pressure 
exists  to  enforce  them.  In  the  IT  field,  configuration  guides  seem  to  suffer  from  a  rapidly 
moving  target.  By  the  time  a  configuration  guide  can  be  written,  tested,  vetted,  and 
approved  the  Operating  System  vendor  has  already  released  the  next  version  requiring 
the  configuration  guide  to  be  rewritten,  tested,  vetted,  and  approved.  It  is  not  at  all 
unusual  for  systems  in  tightly  regulated  areas  to  be  at  least  a  version  behind  what  is 
being  currently  offered.  This  means  that  brand  new  systems  are  being  purchased  with  an 
operating  system  that  is  at  least  one  version  behind  the  latest.  Given  a  life  cycle  of  3  to  5 
years,  organizations  are  often  racing  to  upgrade  before  their  systems  reach  their  end  of 
life.  These  configuration  guides  are  often  publicly  available  in  order  to  ensure  that  the 
people  who  need  them  can  get  them;  however,  that  means  that  we  must  assume  that  the 
adversary  has  them  as  well. 

5.2  Vulnerability  Assessments 

Some  very  interesting  work  has  been  done  to  try  to  quantify  the  vulnerability  of  SCADA 
systems.  In  2004  Eric  Byres  et  al.,  used  attack  trees  to  analyze  the  vulnerabilities  in  the 
MODBUS/TCP  SCADA  protocol. This  work  has  direct  application  to  protocol  design 
and  may  make  the  next  generation  of  protocols  more  secure.  In  2006  Miles  McQueen  et 
al.,  used  a  directed  compromise  graph  to  determine  the  impact  measured  in 
time-to-compromise  of  security  measures  on  a  small  SCADA  system.  He  found  an  86% 
reduction  in  vulnerabilities  could  yielded  a  30%  increase  in  time-to-compromise.^°  In 
2007  Chee-Wooi  Ten  et  al.,  proposed  using  attack  trees  to  provide  a  quantitative 
vulnerability  assessment  of  a  power  plant's  SCADA  system.^^  In  2008  he  refined  this 
approach;  however,  his  models  do  not  include  OS  Vulnerabilities.^^  All  of  these  efforts 
are  interesting  proofs  of  concepts;  however,  their  focus  is  so  small  as  to  bring  into  doubt 
whether  their  results  would  scale  to  real-world  systems. 

5.3  Network  Intrusion  Detection 

There  are  basically  2  camps  in  network-intrusion  detection:  systems  based  upon 
signature  detection  and  systems  based  upon  anomaly  detection.  The  signature-based 
systems  look  for  traffic  known  to  be  malicious.  The  most  popular  and  effective  system 
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deployed  to  protect  networks  today  are  signature-based.  Signature  based  can  be  very 
efficient  and  provide  a  low  false-positive  rate;  however,  they  lack  the  ability  to  detect 
zero-day  attacks.  In  other  words,  they  are  always  behind  the  adversary  because  the 
signature  cannot  be  written  until  someone  has  already  been  exploited. 
Anomaly-detection  systems  work  by  learning  what  normal  or  benign  traffic  is  and 
reporting  on  any  abnormal  traffic.  These  sysfems  have  the  potential  to  detect  zero-day 
exploits;  however,  it  turns  out  that  the  complexity  of  modern  nefworks  makes 
discovering  what  normal  or  benign  traffic  is  a  very  difficult  problem.  Historically  these 
systems  generate  a  significant  number  of  false-positive  alerfs. 

In  the  anomaly-detection  camp  are  Steven  Cheung  et  al.,  who  in  2007  proposed  using 
model-based  intrusion  detection  specifically  for  SCADA  networks  that  use 
MODBUS/TCP,^^  and  Wei  Gao  et  al.,  who  in  2010  proposed  using  a 
neural-network-based,  intrusion-detection  system.^^  Cheung  and  Gao  both  assumed  that 
the  greater  simplicity  of  SCADA  sysfems  and  nefworks  would  allow  fhem  to  get  an 
accurate  enough  picture  of  normal  or  benign  fraffic  fhaf  fhe  number  of  false  positives 
would  be  acceptable.  They  were  able  to  present  a  proof  of  concepf;  however,  their 
research  was  so  tightly  focused  fhaf  if  is  nof  clear  fhat  fheir  resulfs  would  scale  fo 
real-world  sysfems.  Cheung  focused  upon  one  communication  profocol  ouf  of  the  many 
that  are  in  use  in  SCADA  environments.  Gao  focused  on  only  one  attack  vecfor  ouf  of 
the  many  that  exist. 

In  2007  Paul  Oman  and  Matthew  Phillips  explored  intrusion  detection  based  upon 
pattern  recognition.^^  Oman's  system  was  more  traditional  signature-based  with  an 
anomaly-detection  twist.  He  did  do  some  very  interesting  work  in  the  automated 
creation  of  his  signafures.  He  was  able  fo  describe  the  correct  operation  of  various 
devices  and  wrife  rules  fhaf  would  fire  if  the  traffic  didn'f  mafch  fhat  pattern.  The 
greatest  limitation  here  is  that  rules  would  have  to  be  written  for  every  device  in  a 
SCADA  nefwork.  This  would  be  a  very  daunting  fask  for  any  organization  that  had  a 
primary  mission  other  than  research.  It  is  this  author's  opinion  that  the  only  way  this 
might  be  able  to  scale  would  be  if  vendors  provided  rule  sefs  with  their  systems. 

5.4  Cryptography 

SCADA  systems  have  the  same  authentication  and  confidentiality  issues  that  are  often 
addressed  in  other  computer  systems  using  cryptography.  Encrypting  the  traffic  should 
profecf  ifs  confidenfialify.  The  use  of  crypfographic  signafures  may  be  used  to  validate 
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authentication.  One  could  envision  securing  the  MODBUS/TCP  and  similiar  protocols 
by  adding  a  Secure  Socket  Layer  much  the  same  way  that  the  Hyper  Text  Transport 
Protocotol  was  secured.  In  order  to  do  this,  crytographic  modules  would  have  to  be 
installed  on  all  devices  for  both  Rivest  Shamir  Adleman  (RSA)  public  key  crytopgrphy 
and  the  Adanced  Encyption  Standard  (AES)  symmetric  key  cryptography.  RSA  is  used 
for  authentication  and  key  exchange,  and  AES  is  used  to  encypt  the  session.  That  is  a  lot 
of  software  to  load  on  these  devices  and  a  lot  of  computing  to  expect  some  of  these 
devices  to  perform  quickly  enough  to  maintain  their  real-time  requirements.  An 
additional  problem  with  all  cyrptographic  systems  is  the  distribution  of  keys.  This 
problem  is  exacerbated  in  a  SCADA  system  because  of  the  limited  computing  power, 
small  bandwidth,  and  disconnected  nature  of  the  components.  In  2006  Robert  Dawson  et 
al.,  proposed  the  SCADA  Key  Management  Architecture  as  a  replacement  for  SCADA 
Key  Establishment.^^  In  2008  Ludovic  Pietre-Cambacedes  surveyed  key  management 
technologies  for  SCADA  documenting  Key-server,  Point-to-point,  Standard  Public  Key 
Infrastructure  (PKI),  and  Customized  PKI  architectures.^^ 

The  long  life  cycle  of  this  equipment  presents  a  further  challenge.  A  new  protocol 
invented  today  may  take  15  to  20  years  to  fully  deploy.  Additionally  the  strength  of 
cryptography  relies  on  certain  problems  being  computationally  infeasible.  Moore's  Law 
implies  that  what  is  computationally  infeasible  today  will  be  feasible  tomorrow.  Por 
example  the  Data  Encyption  Standard  (DES)  had  a  56-bit  key.  When  DES  was 
developed,  it  was  computationally  infeasible  to  attempt  every  56-bit  combination  to 
decode  a  message.  Today  brute-forcing  a  56-bit  DES  key  can  be  done  very  quickly.  Given 
a  15-  to  20-year  life  cycle,  it  is  possible  that  the  infeasibility  assumptions  will  be  invalid 
before  the  system  is  fully  deployed. 

5.5  Test  Beds 

Since  most  production  SCADA  systems  are  too  valuable  to  use  for  research  and  most 
research  organizations  cannot  afford  to  stand  up  a  SCADA  system,  there  has  been  a 
significant  amount  of  work  in  creating  SCADA  test  beds.  Oman  was  able  to  use  the 
University  of  Idaho's  Electrical  Engineering  Power  Laboratory,  "a  fully  functioning 
high-voltage  facility."^^  In  2008  Aimarita  Giani  et  al.,  described  the  SGADA  test  bed  that 
they  built  to  test  DoS,  Integrity,  and  phishing  attacks.^^  In  2011  Thomas  Morris  et  al., 
described  the  Mississippi  State  University  SGADA  security  laboratory.^® 
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6.  Conclusions 


SCADA  systems  are  high-value  targets  where  failure  has  the  potential  to  cause  massive 
amounts  of  damage.  The  life  cycle  of  SCADA  equipment  means  that  some  elements 
would  be  considered  obsolete  by  computing  standards.  Configuration  guides  are  good 
but  will  not  be  effective  unless  they  are  easy  to  understand  and  inexpensive  to 
implement.  Quantitative  vulnerability-assessment  techniques,  although  impressive,  are 
of  very  narrow  focus  and  based  upon  assumptions.  Intrusion-detection  work  is 
significantly  behind  the  same  efforts  in  traditional  network  systems  and  what  is  being 
done  is  very  highly  focused  on  one  particular  technology.  Older  PLCs  with  low 
computing  power  make  cryptography  difficult  to  implement.  Limited  network 
connectivity  makes  key  management  difficult  as  well. 
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List  of  Symbols,  Abbreviations,  and  Acronyms 


AES 

Advanced  Encryption  Standard 

COTS 

Commercial  Off  The  Shelf 

DES 

Dafa  Encryption  Standard 

DoS 

Denial  of  Service 

EEP 

Eronf-End  Processor 

HMI 

human-machine  inferface 

lED 

Infelligenf  Elecfronic  Device 

IT 

information  technology 

MCC 

Motor  Control  Center 

MTU 

Master  Terminal  Unit 

OS 

operating  system 

PKI 

Public  Key  Infrastructure 

PEC 

Programmable  Logic  Controller 

RISC 

Reduced  Instruction  Set  Computing 

RSA 

Rivest  Shamir  Adleman 

RTU 

Remote  Terminal  Unit 

SCADA 

Supervisory  Control  And  Data  Acquisition 

USB 

Universal  Serial  Bus 
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